File name:

XwormRAT V3.1.7.rar

Full analysis: https://app.any.run/tasks/613b8cf9-a685-43ad-8619-523d754ab1b2
Verdict: Malicious activity
Threats:

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Malware Trends Tracker     >>>
Analysis date: August 24, 2024, 13:26:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
telegram
xworm
xor-url
generic
netreactor
crypto-regex
ip-check
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

AAFBE273C8423746DAACCBA0D724FD0B

SHA1:

560E51EE7AE9DBCA88E4FD970A2BB1C065B58502

SHA256:

9F6536A94D20CEE198C4159E3FC677460532929B12DECD85D8E2EB51B4A515DF

SSDEEP:

98304:o0rHJSdDMXWcHi8YSotAMN81YBD0guShQOHpcR4gttOzreSGA0uHHrzMJ8ny1NQK:PIJossTsiRPd7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • XClient.exe (PID: 964)

    • Uses Task Scheduler to run other applications

      • XClient.exe (PID: 964)

    • Changes the autorun value in the registry

      • XClient.exe (PID: 964)

    • XWORM has been detected (YARA)

      • XClient.exe (PID: 964)

    • XORed URL has been found (YARA)

      • XWorm.exe (PID: 6176)
      • XWorm.exe (PID: 6000)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 6640)
      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)

    • Executable content was dropped or overwritten

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)

    • Reads security settings of Internet Explorer

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • Xworm.exe (PID: 6732)
      • Xworm.exe (PID: 240)

    • Reads the date of Windows installation

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 6376)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • XClient.exe (PID: 964)

    • The process executes via Task Scheduler

      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)

    • There is functionality for capture public ip (YARA)

      • XWorm.exe (PID: 6176)

    • Found regular expressions for crypto-addresses (YARA)

      • XWorm.exe (PID: 6176)

    • The process checks if it is being run in the virtual environment

      • XWorm.exe (PID: 6176)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2256)

  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 6924)
      • cmd.exe (PID: 6540)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Checks supported languages

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)
      • Xworm.exe (PID: 240)
      • XClient.exe (PID: 420)
      • XWorm.exe (PID: 6000)
      • Xworm.exe (PID: 6732)
      • XClient.exe (PID: 6768)
      • XWorm.exe (PID: 1084)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6924)

    • Reads the computer name

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)
      • Xworm.exe (PID: 240)
      • XWorm.exe (PID: 6000)
      • Xworm.exe (PID: 6732)
      • XClient.exe (PID: 420)
      • XWorm.exe (PID: 1084)
      • XClient.exe (PID: 6768)

    • Reads the machine GUID from the registry

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 7008)
      • XClient.exe (PID: 6580)
      • XWorm.exe (PID: 6000)
      • Xworm.exe (PID: 6732)
      • Xworm.exe (PID: 240)
      • XClient.exe (PID: 420)
      • XWorm.exe (PID: 1084)
      • XClient.exe (PID: 6768)

    • Creates files or folders in the user directory

      • Xworm.exe (PID: 6008)
      • XWorm.exe (PID: 6176)
      • XClient.exe (PID: 964)

    • Process checks computer location settings

      • Xworm.exe (PID: 6008)
      • XClient.exe (PID: 964)
      • Xworm.exe (PID: 240)
      • Xworm.exe (PID: 6732)

    • Disables trace logs

      • XClient.exe (PID: 964)

    • Reads the software policy settings

      • XClient.exe (PID: 964)

    • Reads Environment values

      • XClient.exe (PID: 964)

    • Checks proxy server information

      • XClient.exe (PID: 964)

    • Attempting to use instant messaging service

      • XClient.exe (PID: 964)
      • svchost.exe (PID: 2256)

    • .NET Reactor protector has been detected

      • XWorm.exe (PID: 6176)
      • XWorm.exe (PID: 6000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

XWorm

(PID) Process(964) XClient.exe
C2Viiper1337-29699.portmap.host:29699
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
Mutex0J5prv3fehnur4Jz

xor-url

(PID) Process(6176) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
(PID) Process(6000) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
19
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe winrar.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs xworm.exe #XWORM xclient.exe #XOR-URL xworm.exe schtasks.exe no specs conhost.exe no specs svchost.exe xclient.exe no specs xclient.exe no specs xworm.exe no specs xclient.exe no specs #XOR-URL xworm.exe no specs xworm.exe no specs xclient.exe no specs xworm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exe" C:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xwormrat v3.1.7\xwormrat v3.1.7\xworm v3.1.7z\src\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
420"C:\Users\admin\AppData\Roaming\XClient.exe" C:\Users\admin\AppData\Roaming\XClient.exeXworm.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
964"C:\Users\admin\AppData\Roaming\XClient.exe" C:\Users\admin\AppData\Roaming\XClient.exe
Xworm.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\xclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
XWorm
(PID) Process(964) XClient.exe
C2Viiper1337-29699.portmap.host:29699
Keys
AES<123456789>
Options
Splitter<Xwormmm>
Sleep time3
USB drop nameUSB.exe
Mutex0J5prv3fehnur4Jz
1084"C:\Users\admin\AppData\Roaming\XWorm.exe" C:\Users\admin\AppData\Roaming\XWorm.exeXworm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1920\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6000"C:\Users\admin\AppData\Roaming\XWorm.exe" C:\Users\admin\AppData\Roaming\XWorm.exe
Xworm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
xor-url
(PID) Process(6000) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
6008Xworm.exe C:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Xworm.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xwormrat v3.1.7\xwormrat v3.1.7\xworm v3.1.7z\src\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6176"C:\Users\admin\AppData\Roaming\XWorm.exe" C:\Users\admin\AppData\Roaming\XWorm.exe
Xworm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\xworm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
xor-url
(PID) Process(6176) XWorm.exe
Decrypted-URLs (8)http://ip-api.com/csv/?fields=status,query#
http://www.example.com/File.exe!
http://www.example.com/File.exe)
http://www.example.com/XClient.exe*
https://pastebin.com/raw/H3wFXmEi+
https://t.me/XCoderGroup)
https://t.me/XCoderTools+
https://www.google.com/maps/place/$
6376"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Public\XClient.exe"C:\Windows\System32\schtasks.exeXClient.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
23 000
Read events
22 923
Write events
77
Delete events
0

Modification events

(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\XwormRAT V3.1.7.rar
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(6640) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
10
Suspicious files
3
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Fixer.battext
MD5:2DABC46CE85AAFF29F22CD74EC074F86
SHA256:A11703FD47D16020FA099A95BB4E46247D32CF8821DC1826E77A971CDD3C4C55
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\FastColoredTextBox.dllexecutable
MD5:B746707265772B362C0BA18D8D630061
SHA256:3701B19CCDAC79B880B197756A972027E2AC609EBED36753BD989367EA4EF519
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\SimpleObfuscator.dllexecutable
MD5:9043D712208178C33BA8E942834CE457
SHA256:B7A6EEA19188B987DAD97B32D774107E9A1BEB4F461A654A00197D73F7FAD54C
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Readme.txttext
MD5:85122AD50370F9A829B6602384B1B644
SHA256:444CBC7B57B4A6198EE1474FD9623E1AFCB8C7A0B180F05E961A822F4365499B
6176XWorm.exeC:\Users\admin\AppData\Roaming\Fixer.battext
MD5:2DABC46CE85AAFF29F22CD74EC074F86
SHA256:A11703FD47D16020FA099A95BB4E46247D32CF8821DC1826E77A971CDD3C4C55
6008Xworm.exeC:\Users\admin\AppData\Roaming\XWorm.exeexecutable
MD5:B7A300C6953F42F199C2FF903FEAC72F
SHA256:F40B8EF92F828123C81A8B275AB0E29E44B44B3A175E452EEA72A475F6CFAF80
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\IconExtractor.dllexecutable
MD5:640D8FFA779C6DD5252A262E440C66C0
SHA256:440912D85D2F98BB4F508AB82847067C18E1E15BE0D8ECDCFF0CC19327527FC2
6176XWorm.exeC:\Users\admin\AppData\Roaming\Intro.wavbinary
MD5:DC28D546B643C5A33C292AE32D7CF43B
SHA256:20DCC4F50EB47CAFDA7926735DF9EF8241598B83E233066EA495D4B8AA818851
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\GeoIP.datbinary
MD5:8EF41798DF108CE9BD41382C9721B1C9
SHA256:BC07FF22D4EE0B6FAFCC12482ECF2981C172A672194C647CEDF9B4D215AD9740
6924WinRAR.exeC:\Users\admin\Desktop\XwormRAT V3.1.7\XwormRAT V3.1.7\Xworm V3.1.7z\src\Background.pngimage
MD5:A466FC11F42A6DE40E050C9813947612
SHA256:5047DC90D705A1A50C325FC00B26D5290939C42D6AA727D09E8D21D0537CEC85
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
32
Threats
37

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6152
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5116
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2212
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4296
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6152
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6152
SIHClient.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6152
SIHClient.exe
20.242.39.171:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
api.telegram.org
  • 149.154.167.220
shared
Viiper1337-29699.portmap.host
malicious
login.live.com
  • 40.126.32.133
  • 40.126.32.72
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
964
XClient.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
964
XClient.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2256
svchost.exe
Potential Corporate Privacy Violation
ET POLICY DNS Query to a Reverse Proxy Service Observed
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
2256
svchost.exe
Misc activity
ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)
Process
Message
XWorm.exe
The type initializer for 'XWorm.Messages' threw an exception.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
XwormRAT V3.1.7.rar